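The following article is translated from an overseas website. It analyses and compares audit trails from the dual perspectives of the FDA and the EU and was published in July 2025. The original article link is: https://www.technologynetworks.com/informatics/articles/audit-trail-requirements-for-a-digitalized-regulated-laboratory-401729 (Note, however, that a draft of EU Annex 11, Computerised Systems (published jointly with PIC/S), was released in July 2025. This regulatory guidance was updated after the article was published, so the article lags behind on this point; the other regulations and guidance documents are not out of date and are all current versions.)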
Digital transformation of analytical processes requires suppliers to design and implement audit trail(s) (AT) that are fit for intended use in a regulated laboratory. In addition, second person review of electronic data requires critical examination of the pertinent audit trail entries of each analysis performed using a computerized system. This is good analytical science as well as good regulatory compliance.
This article discusses options for reviews, the regulatory requirements and guidance for audit trails, audit trail design, procedures for audit trail review and explains how to apply ALCOA++ principles for effective review of entries.
The aim of this article is to help laboratory staff, quality personnel and suppliers improve audit trail design, functionality and review and long-term record retention.
The meaning of system, application and software can be different within GxP sources, however, in this article we use these words interchangeably. In the short term, meaningful artificial intelligence (AI) audit trail review is some time away and is out of scope. Our focus is on having effective functionality in an application to automatically identify potential problems in AT entries.
Overview of GxP audit trail regulations
We will start with a brief explanation of the history of the main GxP regulations and guidance documents for audit trail. Regulatory requirements are important. If you do not understand the regulations and their history and intent, how can you know a selected system provides you with adequate capabilities to monitor changes and deletions, as well as enabling efficient review of audit trail entries?
Food and Drug Administration (FDA)
The earliest implicit or explicit regulatory requirement for an audit trail for automated data systems (e.g., computerized systems) was issued in 1978: the US GLP (Good Laboratory Practice) regulations 21 CFR 58.130(e):
… In automated data collection systems, the individual responsible for direct data input shall be identified at the time of data input. Any change in automated data entries shall be made so as not to obscure the original entry, shall indicate the reason for change, shall be dated, and the responsible individual shall be identified.
Promulgated in the same year was 21 CFR 211,2 but this regulation has no explicit mention of audit trail. However, since 2005 and the Able Laboratories fraud case3 review of original records for accuracy, completeness, and compliance with established standards in 21 CFR 211.194(a)(8) has been interpreted to include electronic records and audit trail entries in computerized laboratory systems.
The electronic records; electronic signatures regulation (21 CFR 11) issued in 1997 has two clauses for audit trails.4 The first is 11.10(a) that requires a technical control to discern … altered records. This is the trigger for the audit trail requirements under 11.10(e):
Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Although the FDA Part 11 Scope and Application guidance5 issued in 2003 allowed audit trail enforcement discretion for legacy systems operational when 21 CFR 11 was published, we advise you to ignore this. Audit trails are critical for digitalized operations.
In 2016, FDA published a draft GLP update entitled the GLP Quality System where 21 CFR 58.130(a) would have been updated to include reference to ALCOA criteria and that data must be credible, internally consistent, and corroborated. However, there is no sign when a final version will be issued.
Recently FDA issued a guidance on Electronic Systems, Electronic Records, and Electronic Signatures Clinical Investigations: Questions and Answers.7 (We will call it FDA Clinical Q&A Guidance for convenience). This is significant as it is the first Part 11 guidance that has been issued since 2003.5 If the portions on clinical studies and digital health technologies are ignored, the document provides current advice on FDA’s interpretation of 21 CFR 11 for GMP (Good Manufacturing Practice) and GLP.
Q12 states: To ensure the trustworthiness and reliability of electronic records, audit trails must capture electronic record activities including all changes made to the electronic record, the individuals making the changes, and the date and time of the changes and should include the reasons for the changes. Audit trails should be protected from modification and from being disabled …
… Persons must still comply with all applicable predicate rules. Even where there are no predicate rule requirements related to documentation, it is nonetheless important to have audit trails or other physical, logical, or procedural security measures in place to ensure the trustworthiness and reliability of the electronic records.
The last paragraph is very interesting for two reasons. First, procedural controls for audit trails have no place in a digitalized laboratory. Second, audit trails are important for ensuring the trustworthiness and reliability of e-records even when there is no predicate rule in place. This is consistent with the scope of 21 CFR 11.1(b):
… This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations …
Any research data as a part of a regulatory submission must comply with 21 CFR 11 regulations including those for audit trail.
Q13 states Should an audit trail record every key stroke?
Summarising the answer: No.
EU and PIC/S GMP Annex 11
Annex 11 has been a regulation for over 30 years.
1992: Annex 11 was originally published and clause 10 on audit trail stated:
… Any alteration to an entry of critical data should be authorised and recorded with the reason for the change …
2011: The current version of Annex 11 contains two clauses relating to audit trail9:
9. Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.
12.4 Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.
Annex 11 is currently being revised and clause 9 has 7 proposed changes (Items 18–24) that illustrate the importance of audit trail and its review by regulators. The draft for industry comment will be released this year.
ICH E6(R3) Good Clinical Practice (GCP)
The GCP guidelines were updated in January 2025, and section 4.2.2 (b) states:
Ensuring that audit trails, reports and logs are not disabled. Audit trails should not be modified except in rare circumstances (e.g., when a participant’s personal information is inadvertently included in the data) and only if a log of such action and justification is maintained;
The first sentence is consistent with regulatory guidance discussed above.
However, the second sentence is in direct contradiction with all other GxP regulations. Audit trails must be secure and computer-generated. They must not be changed. What do the writers of the regulation propose for recording of such changes? A paper log? If there was this functionality available to delete a subject’s personal information, it is a function for carte blanche falsification of clinical data.
No audit trail, no problem?
GxP guidance documents give a crumb of hope where a system has no audit trail by giving consideration for alternative measures:
- 6.13 … Where relevant audit trail functionality does not exist (e.g., within legacy systems) an alternative control may be achieved …
- 9.6 … If no electronic audit trail system exists a paper-based record to demonstrate changes to data may be acceptable until a fully audit trailed (integrated system or independent audit software using a validated interface) system becomes available …
However, having no audit trail function will NOT work in a digitalized laboratory. To work electronically, an audit trail is critical to ensuring trustworthiness and reliability of GxP records and electronic data. Our advice is to replace all legacy systems without audit trails.
Regulatory reality
As shown in Table 1, if you are going to digitalize your laboratory, using software without adequate audit trail functionality is unacceptable from practical, scientific and regulatory perspectives.
Table 1: Reference to audit trail in GxP regulations and regulatory guidance.
Regulation/guidance | Requirement |
FDA Clinical Q&A Guidance 7 | Q12 … To ensure the trustworthiness and reliability of electronic records, audit trails must capture electronic record activities … |
Concept Paper on the revision of Annex 1110 | 18 … such systems without audit trail functionality is not acceptable; any grace period within this area has long expired. |
Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (PIC/S PI 041-1)13 | 9.6 … Companies should select software that includes appropriate electronic audit trail functionality. Companies should endeavour to purchase and upgrade older systems to implement software that includes electronic audit trail functionality. |
OECD GLP No 22 Data Integrity14 | 6.13 Some GLP Compliance Monitoring Authorities may not accept systems without audit trail functionality including those with alternative control measures … |
EMA GMP Annex 11 (2011)9 | 9. … Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail") … |
Caveat emptor!
Smith and McDowall reviewed 104 FDA 483 and warning letter citations for infrared spectrometer systems; of these, 15% were due to lack of an audit trail.
This means that the system selection process was deficient as either the compliance features were not assessed or lack of an AT was not considered significant or not turned on.
Therefore, before selecting a computerized system, a laboratory must ensure that the compliance features are in place, otherwise, your digitalized workflows will be hybrid and you run the significant risk of regulatory citations.
A system without an audit trail has no place in a regulated laboratory. Also, not saving data when the system is capable of doing this will result in a warning letter.
ALCOA++ criteria for audit trail entries
As noted by the PIC/S PI 041-1 guidance and the proposed GLP Quality System, audit trail entries should meet ALCOA+ criteria. What does this mean?
The 10 ALCOA++ criteria for data integrity stand for:
Attributable, Legible, Contemporaneous, Original, Accurate (ALCOA),
Complete, Consistent, Enduring, Available (ALCOA+) and
Traceable (ALCOA++).
A detailed discussion on the origin and meaning of the ten criteria is available and Figure 1 interprets how to apply ALCOA++ principles to audit trail entries.

Figure 1: ALCOA++ requirements for audit trail entries.
Audit Trail Design
There are nine main audit trail(s) design elements and functions that suppliers must incorporate into their application for effective use in any digitalized regulated laboratory, see Figure 2.

Figure 2: Key audit trail design elements and functions.
1. Audit trail cannot be turned off
The first design requirement is a technical control so that any audit trail works from installation of the software and cannot be turned off. This is to eliminate any possibility of users or system administrators turning an audit trail off to hide data falsifications or deletions. The ability to turn audit trails off and then back on again is cited in warning letters and 483 citations.
2. Database or flat file?
Implementing an application where data files are stored in directories in the operating system is not a recommended option for an effective audit trail. Where this has occurred, AT entries were stored within the data file itself. The problem is that these files were vulnerable via the operating system and, if deleted, the audit trail did not record the deletion on the file’s journey to the recycle bin. Therefore, the only way to design an effective audit trail is to use a database that monitors the whole system.
Also, any application should be designed so that there is no backdoor access to data, to prevent administrators falsifying data while avoiding audit trail entries.
3. Single audit trail or separate system and data audit trails?
It is important to point out that the lifetime of e-records and data usually exceeds the lifetime of the computerized system that generates them.
From a system design perspective, there are two alternatives for audit trail design:
A single AT covers all activities within a system such as system configuration, user account management, user log on and off, instrument connections and any incidents, plus data acquisition, modification and, if allowed, deletion. This is good at giving an overall big picture BUT unless there are effective search routines for second person review, quality oversight and data integrity audits, this apparently simple approach has the problem of separating the wood from the trees.
Another consideration is the analytical instrument acquiring data. A polarimeter is an instrument where data collection is relatively simple with little data manipulation. Compare this with a complex instrument such as an LC-MS-MS which will generate much more data which can be subject to interpretation of the data by a user.
A separation of entries between system and data audit trails is a far better approach that permits more effective audit trail review as well as efficient archive and restore, as we shall discuss later. Figure 3 shows the audit trail coverage of a system and data audit trail. The data audit trail focuses on the data life cycle and will be subject to second person review and data integrity audits. The system audit trail records the events of system configuration, user account management, instrument connections and operational status and is subject to data integrity audits and periodic review. Both audit trails should have functions to record on-line reviews as discussed later in this section.

Figure 3: Design for separate system and data audit trails.
4. Contemporaneous recording of changes
As shown in Figure 1, one of the ALCOA++ criteria is contemporaneous recording of data changes coupled with the corresponding entries in the audit trail. Q12 of FDA’s Data Integrity and Compliance with CGMP guidance says:
Draft issued in 2016:
… it is not acceptable to store data electronically in temporary memory, in a manner that allows for manipulation, before creating a permanent record. Electronic data that are automatically saved into temporary memory do not meet CGMP documentation or retention requirements.
This was modified in the final guidance issued in 2018:
... For example, chromatographic data should be saved to durable media upon completion of each step or injection (e.g., peak integration or processing steps; finished, incomplete, or aborted injections) instead of at the end of an injection set, and changes to the chromatographic data or injection sequence should be documented in an audit trail. Aborted or incomplete injections should be captured in audit trails and should be investigated and justified ...
Both quotes are valuable for understanding how data changes should be identified and recorded as they occur in an audit trail. Although focused on chromatography, it is applicable to any laboratory data system.
5. Time stamp detail
Again, an ALCOA++ criterion is contemporaneous. We have split the time and date stamp discussion into two. An accurate time stamp is vital in determining the sequence of events in a computerized system. Time stamp accuracy was addressed in the FDA’s withdrawn guidance on time stamps as within a minute which can be interpreted as ±30 or 60 seconds. Time zone is also important in global systems and an additional time stamp of UTC / GMT (Coordinated Universal Time / Greenwich Mean Time) can be used to verify consistent and sequential actions in a global digitalized workflow.
However, there is no regulation or guidance document that states or suggests the detail of the time stamp itself. There are three possible options:
- Option 1: HH:MM
- Option 2: HH:MM:SS
- Option 3: HH:MM:SS.X(X)
The time stamp can be either a 12 or 24-hour clock, but the former requires AM or PM to be added, whereas the latter is unequivocal. Option 1 is useless as many activities can occur in a minute. Option 2 is a possible option in a standalone system but if several activities occur in a second, it is only the order of AT entries that can infer the order of activities. Option 3, where time is recorded to 1/10 or 1/100 second, is better for multi-user systems.
An issue arises in regions where there are summer/wintertime changes. FDA’s 2007 clinical guidance notes:
There is no expectation to document time changes that systems make automatically to adjust to daylight savings time conventions.
If used, ensure these automatic adjustments are in your specifications.
The sequence of time stamping activities in any system must be understood so that a clear explanation can be given in audits and inspections.
6. Date stamp detail
Completing the time stamp is the date format; there are several different date formats that could be used:
- DD-MM-YY(YY)
- MM-DD-YY(YY)
- YYYY-MM-DD
- DD-MMM-YY(YY)
Adding the day of the week is an option in some systems.
Regardless of the format selected, it must be communicated to all, understood and be consistent throughout an organization, especially global ones.
Controls should be established to ensure that the system's date and time are correct. The ability to change the date or time should be limited to authorized personnel, and such personnel should be notified if a system date or time discrepancy is detected.
Any changes to date or time should always be documented.
For an accurate time and date stamp, a network has a timeserver from which all the active equipment on the network is synchronized. In turn, the timeserver is synchronized with a time source typically a national observatory, a network time protocol (NTP) server or global positioning satellite (GPS).
One last discussion point about combined date and time stamps is the recorded time and the presented time. The system may record the time as UTC and the operating system may present that in local time. An alternative in some systems is to record two time stamps: local and UTC. You should understand how any system records date and time before purchase as this might have a bearing on validation and routine operation.
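The difference between recorded and presented time, together with the time stamp options in section 5, shown as an added example that is not part of the original article. The entries, field names and fixed UTC offsets are constructed assumptions: site A changes from summer to winter time at 01:00 UTC and site B is in another time zone.

```python
from datetime import datetime, timedelta, timezone
from itertools import groupby

# Constructed fixed offsets (assumption): site A before and after the change
# from summer to winter time, and site B in a different time zone.
A_SUMMER = timezone(timedelta(hours=2), "UTC+02:00")
A_WINTER = timezone(timedelta(hours=1), "UTC+01:00")
B_SUMMER = timezone(timedelta(hours=-4), "UTC-04:00")
UTC = timezone.utc


def fmt(dt, places=2):
    """Format as YYYY-MM-DD HH:MM:SS.XX (date option 3, time option 3)."""
    frac = f"{dt.microsecond:06d}"[:places]
    return dt.strftime("%Y-%m-%d %H:%M:%S") + ("." + frac if places else "")


def make_entry(entry_id, user, action, utc_moment, site_tz):
    """Build one audit trail entry that records both UTC and local time."""
    if utc_moment.utcoffset() != timedelta(0):
        raise ValueError("the recorded moment must be timezone-aware UTC")
    return {
        "id": entry_id,
        "user": user,
        "action": action,
        "utc": fmt(utc_moment),                        # recorded time
        "local": fmt(utc_moment.astimezone(site_tz)),  # presented time
        "offset": site_tz.tzname(None),
    }


def order_by(entries, field):
    """Entry ids in the order implied by sorting on one time stamp field."""
    return [e["id"] for e in sorted(entries, key=lambda e: e[field])]


def same_second(entries):
    """Groups of entries that HH:MM:SS detail (option 2) cannot put in order."""
    def to_second(e):
        return e["utc"][:19]
    ordered = sorted(entries, key=to_second)
    groups = [[e["id"] for e in g] for _, g in groupby(ordered, key=to_second)]
    return [g for g in groups if len(g) > 1]


# Constructed entries listed in the order the actions really happened.
ENTRIES = [
    make_entry("E1", "analyst1", "modify integration",
               datetime(2025, 10, 26, 0, 30, 15, 420000, tzinfo=UTC), A_SUMMER),
    make_entry("E2", "analyst1", "reprocess result",
               datetime(2025, 10, 26, 1, 10, 3, 70000, tzinfo=UTC), A_WINTER),
    make_entry("E3", "analyst2", "modify sequence",
               datetime(2025, 10, 26, 1, 10, 3, 550000, tzinfo=UTC), B_SUMMER),
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["id"], e["utc"], "UTC |", e["local"], e["offset"])
    print("order by UTC stamp:  ", order_by(ENTRIES, "utc"))
    print("order by local stamp:", order_by(ENTRIES, "local"))
    print("indistinguishable at HH:MM:SS:", same_second(ENTRIES))
```

Sorting on the local stamp reverses the true sequence, while the UTC stamp preserves it; E2 and E3 fall in the same second and are only separated by the 1/100 second detail.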
7. Predefined or configurable reasons for change
As seen in Table 2, regulations and regulatory guidance require a reason for change. The EU GMP Chapter 4 requirement when making a change is that a reason should be added as appropriate, as this may be obvious if using paper, unlike GLP regulations.
In contrast, Annex 11 focuses on computerized systems where a transcription error or change is not obvious; hence, the reason for change is mandatory. When working electronically a reason for any data change is critical for traceability, integrity and trustworthiness. In our view, the only configuration required for any audit trail is whether it is silent (no reason for change required e.g., typically activities at a system level or method development activities) or a user is forced to add a reason for changes and modifications to data.
Software functionality should offer the ability for a laboratory to add predefined and context sensitive reasons for change. This has the advantage of speed and consistency of reasons for change, avoiding users typing the same reasons every time and if further input is required then a free text option could be used as well.
Table 2: GxP requirements to reason for change.
Discipline | Requirement |
GLP | Any change in entries shall be made so as not to obscure the original entry, shall indicate the reason for such change … |
 | 8.3 5. … Reason for changes should be given. |
 | 6.6 … Reason for changes should be given and recorded |
GMP | 9 … For change or deletion of GMP-relevant data the reason should be documented... |
 | 4.9 … Where appropriate, the reason for the alteration should be recorded |
GCP | 6.2.1 … The audit trail should show … where applicable, why (reason for change) |
MHRA | 6.13 … The reason for any change, should also be recorded |
PIC/S PI 041-1 | 9.6 … what action occurred, was changed, incl. old and new values; … why the action was taken (reason) |
WHO TRS 996 Annex 05 | it should be possible to … and a reason for the change recorded where applicable |
8. Documenting an AT review
A digitalized laboratory must eliminate paper. To achieve this, any audit trail review must be documented within the computerized system by the reviewer. However, this is a major failing of audit trail system design as very few applications have this functionality, meaning that the review will be recorded on paper. We will return to this subject later in this listicle.
9. Archive and restore
The design of audit trail has significant impact on the ability of archiving and restoring e-records including all associated metadata. This topic will be discussed later in this listicle.
Procedure or procedures for audit trail review?
Let us assess these two PIC/S PI 041 statements:
9.6 … determining which specific trails and which entries within trails are of significance for review …
9.8 … the regulated user should establish an SOP that describes in detail how to review audit trails …
Second person review is not just a review of audit trail entries. The process must review records from sample management to the reportable value to comply with GxP regulations (21 CFR 194 a (8),26 Chapter 6.1727). As Figure 4 depicts, in our view, it is more practical to establish a single overarching SOP (Standard Operating Procedure) to describe the principles of second person review and have separate specific SOPs for review of each application’s audit trail(s).
It is simply not practicable to have a single SOP that describes in detail how to review all audit trails. For example, a reviewer will need information to access the audit trail(s) in a system and then understand how to search the audit trail to find relevant change or deletion.
A single SOP for all systems? Really? How big would the SOP be? Let us see…

Figure 4: Overview and options for audit trail review.
All audit trails are the same – except for the differences
Although GxP audit trail regulations are similar, all suppliers interpret these requirements differently and the audit trail design in each system varies greatly both in function and scope.
Figure 4 shows four options for audit trail review. Each system and data audit trail review must be based upon detailed knowledge of the functionality within each computerized system. All examples below have audit trail functionality and are used to illustrate the differences in review. This justifies why there should be a separate SOP for each system. Each procedure will instruct a reviewer how to access the relevant audit trail and how a review will be conducted.
The audit trail design and validation activities of each system will impact the extent of routine audit trail review. PIC/S PI 041-1 (9.6.1) talks about:
Review by exception – focusing on anomalous or unauthorised activities.
Providing the system has been validated to demonstrate that the application identifies these issues and none has been identified when analyzing a series of samples, then no further review is required, except documenting the review electronically.
前提是该系统已完成验证,能够证明其可识别此类问题;且在对一系列样品进行分析时未发现任何异常情况,则无需开展进一步审核,仅需以电子形式记录本次审核即可。
Note, in the four examples below no user role can delete data; this avoids the need for a reviewer to search for deletions. Only data changes are considered here.
请注意,在以下四个示例中,任何用户角色均无法删除数据;这就省去了审核人员查找删除记录的步骤。此处仅考虑数据修改的情形。
- System 1: There is a single audit trail with no search function in the software. To avoid printing the audit trail, all relevant audit trail entries are exported as a CSV (Comma-Separated Values) file for searching using a spreadsheet or Tableau. This option creates an unsecured file that can be modified, so it must be handled securely. For standalone systems, this export can create further problems in that a USB (Universal Serial Bus) device may be required to transfer a file to a secure location on the network, creating a further data integrity problem. This is a nightmare, and the best solution is to upgrade or replace this system.
系统 1:软件仅包含单一审计追踪,且无搜索功能。为避免打印审计追踪,所有相关审计追踪条目将导出为 CSV(逗号分隔值)文件,以便在电子表格或 Tableau 软件中进行检索。但该方式会生成无安全保护的文件,存在被篡改的风险,因此必须对其进行安全管控。对于单机系统,执行导出操作还可能引发更多问题 —— 如需使用 U 盘(通用串行总线设备)将文件传输至网络中的安全位置,进而产生新的数据完整性风险。这一问题极为棘手,最佳解决方案是对该系统进行升级或更换。
- System 2: Again, there is a single audit trail with no search function in the software and no ability to export the entries as a CSV file. In this situation, the audit trail entries for the batch are printed to PDF, which is given a unique file name and is part of the analytical batch record. Only one user role is capable of modifying data in this system. Using Control F, the PDF file is searched for such a user role. If none is found, the review stops. If such a user has logged on, all the applicable entries can be highlighted and reviewed to see if this user has made any changes to data or settings. The highlighted section will aid Quality Assurance (QA) oversight and inspections. Part of the system validation involves a user making changes that are identified by searching the PDF file printed from the audit trail. Although there is an option to print out the audit trail, the search would be manual, which is slow and error prone and not consistent with a digitalized laboratory.
系统 2:同样,该软件仅有单一审计追踪,无搜索功能,也无法将记录导出为 CSV 文件。在此情况下,该批次的审计追踪记录会打印为 PDF 文件,赋予唯一文件名,并作为分析批记录的一部分进行归档。系统中仅有一个用户角色具备数据修改权限。可通过 PDF 的 “查找(Ctrl+F)” 功能检索该用户角色。若未检索到相关记录,审核即可终止。若检索到该用户已登录,则需高亮显示所有相关记录并开展审核,确认该用户是否对数据或系统设置进行过任何修改。高亮标注的内容将便于质量保证部门(QA)进行监督和检查。系统验证工作包含一项内容:由用户执行修改操作,再通过检索打印自审计追踪的 PDF 文件,确认能否识别出这些修改。尽管可以选择打印审计追踪记录,但人工检索速度慢、易出错,不符合数字化实验室的管理要求。
- System 3: This system has a powerful search capability for audit trail entries. Searches can be predefined for specific change events, and these are executed by the reviewer to see if any changes have been made and if they are appropriate. Search outputs are stored in the analysis folder of each analytical run within the system. To help a review, a large screen is advised so the audit trail can be in one window and data/meta data in another.
系统 3:本系统具备强大的审计追踪条目检索功能。审核人员可针对特定的变更事件执行预设查询,以确认是否存在数据变更以及变更是否合规。检索结果存储在系统内各次分析序列的分析文件夹中。为便于审核,建议使用大屏显示器,从而可在一个窗口查看审计追踪,另一窗口查看数据及元数据。
- System 4: Here, there are two audit trails for system and data. All data audit trail entries are recorded in color: green for no data changes, yellow for data changes and red for data deletion. As stated above, no users, not even administrators, have data and meta data deletion privileges. The audit trail functionality has been validated. Therefore, the reviewer looks for yellow entries for the analysis. If none are seen, there is no further review needed.
系统 4:该系统包含系统审计追踪和数据审计追踪两类审计轨迹。所有数据审计追踪条目均采用彩色标识:绿色表示无数据变更,黄色表示数据已修改,红色表示数据已删除。如前所述,任何用户(包括管理员)均不具备删除数据及元数据的权限。该系统的审计追踪功能已完成验证。因此,审核人员只需查看分析过程中是否出现黄色条目即可。若未发现黄色条目,则无需开展进一步审核。
A further extension of the functionality could be to have a statement that there are no data modifications. Again, this functionality needs to be validated to provide confidence in the correctness of identifying modified data. During a periodic review or data integrity audit, a focus would be to review runs with no changes to confirm continued correct operation of the application. This option is a review by exception that is a faster and simpler way of audit trail review.
该功能还可进一步扩展:由系统自动生成无数据修改的提示声明。同样,此功能必须经过验证,以确保其识别修改数据的准确性可靠。在定期回顾或数据完整性审计期间,审核重点可放在无变更的分析序列上,以确认应用程序持续正常运行。这种方式属于例外审核,是一种更快捷、更简便的审计追踪审核方法。
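The System 1 export and the review by exception described above can be combined in one script. This is an added example, not code from the article or from any supplier: the CSV column names, role names and run identifiers are assumptions, and the sample export is constructed. It checks the exported file against a SHA-256 digest recorded at export time, then returns only the entries a reviewer has to examine for one run.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample export. Column names, roles and run IDs are assumptions,
# not any vendor's audit trail format.
SAMPLE_EXPORT = b"""timestamp_utc,user,role,run_id,event,field,old_value,new_value,reason
2025-03-04T09:12:01Z,asmith,Analyst,RUN-0417,CREATE,sequence,,SEQ-22,
2025-03-04T09:40:13Z,asmith,Analyst,RUN-0417,ACQUIRE,injection_3,,acquired,
2025-03-04T10:02:45Z,bjones,Supervisor,RUN-0417,MODIFY,integration_method,v1,v2,Baseline drift
2025-03-04T10:05:10Z,bjones,Supervisor,RUN-0417,MODIFY,peak_area_3,10234,10310,
2025-03-04T11:30:00Z,cwu,Analyst,RUN-0418,CREATE,sequence,,SEQ-23,
2025-03-04T11:52:09Z,cwu,Analyst,RUN-0418,MODIFY,sample_weight,25.1,25.3,Transcription error
2025-03-04T13:05:44Z,asmith,Analyst,RUN-0419,CREATE,sequence,,SEQ-24,
"""


def export_digest(data: bytes) -> str:
    """SHA-256 of the exported file, to be recorded at the moment of export."""
    return hashlib.sha256(data).hexdigest()


def export_is_unmodified(data: bytes, recorded_digest: str) -> bool:
    """True only if the file still matches the digest recorded at export."""
    return hmac.compare_digest(export_digest(data), recorded_digest.lower())


def review_by_exception(data: bytes, run_id: str, modifier_roles: set) -> dict:
    """Return only the entries of one run that a reviewer has to look at."""
    checked = 0
    exceptions = []
    for row in csv.DictReader(io.StringIO(data.decode("utf-8"))):
        if row["run_id"] != run_id:
            continue
        checked += 1
        event = row["event"].strip().upper()
        flags = []
        if event == "DELETE":
            # No role may delete in the article's examples, so any deletion is anomalous.
            flags.append("deletion recorded")
        elif event == "MODIFY":
            flags.append("data change")
            if row["role"] not in modifier_roles:
                flags.append("role not authorised to modify")
            if not row["reason"].strip():
                flags.append("no reason recorded")
        if flags:
            exceptions.append({
                "timestamp": row["timestamp_utc"],
                "user": row["user"],
                "field": row["field"],
                "old": row["old_value"],
                "new": row["new_value"],
                "flags": flags,
            })
    return {
        "run_id": run_id,
        "entries_checked": checked,
        "exceptions": exceptions,
        "further_review_needed": bool(exceptions),
    }


if __name__ == "__main__":
    digest = export_digest(SAMPLE_EXPORT)
    print("export intact:", export_is_unmodified(SAMPLE_EXPORT, digest))
    for run in ("RUN-0417", "RUN-0418", "RUN-0419"):
        result = review_by_exception(SAMPLE_EXPORT, run, {"Supervisor"})
        print(run, result["entries_checked"], "entries,", len(result["exceptions"]), "to review")
        for item in result["exceptions"]:
            print("  ", item["timestamp"], item["user"], item["field"], item["flags"])
```

The digest only protects the export if it is recorded somewhere the person handling the CSV file cannot change, and the script itself would need validation before its "nothing to review" result could be relied on.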
Are you still convinced that a single SOP for audit trail review is adequate?
您现在还会认为,仅制定一份审计追踪审核的通用 SOP 就足够了吗?
As per GxP regulations and guidance documents, audit trail functionality for each system must be known, understood and validated by each regulated laboratory.
根据 GxP 法规及指导文件,各受监管实验室必须知晓、理解并验证每个系统的审计追踪功能。
Frequency of audit trail review 审计追踪审核频次
Figure 4 depicts the analytical process and records to review for each regulated analysis. All records generated with direct impact on regulatory submission, patient safety and/or product quality are subject to review including the applicable audit trail entries. This means that a routine approach for data audit trail review must be applied after the completion of the operation (e.g., prior to batch release).
图 4 展示了受监管分析项目所涉及的分析流程及需审核的记录。所有对注册申报、患者安全和 / 或产品质量存在直接影响的生成记录均需纳入审核范围,包括相关审计追踪条目。这意味着,数据审计追踪的常规审核必须在相关操作完成后执行(例如在批次放行前完成)。
In addition, and as Figure 3 depicts, a system audit trail only supports product release and is not part of release activities. This is reviewed less frequently under a data integrity audit or periodic review to ensure a system is under control. Nonetheless, as part of a risk-based approach, companies can define their internal policy for routine QA oversight of system audit trail.
此外,如图 3 所示,系统审计追踪仅用于支持产品放行,并非放行活动的组成部分。可在数据完整性审计或定期回顾中以更低频次对其进行审核,以确保系统处于受控状态。尽管如此,企业可基于风险评估原则,制定内部规程,对系统审计追踪实施常规的 QA 监督。
Who should review audit trails? 应由谁对审计追踪进行审核?
As shown in Figure 4, audit trail review is a key part of second person review and must be performed by the originating department, either Analytical Development or Quality Control. PIC/S PI 041-1 states in 9.6.1:
如图 4 所示,审计追踪审核是双人复核(第二人复核)的关键环节,必须由数据产生部门执行,即分析研发部门或质量控制部门。PIC/S PI 041‑1 第 9.6.1 节指出:
… This review should be performed by the originating department, and where necessary verified by the quality unit, e.g. during self-inspection or investigative activities.
该项审核应由数据产生部门执行,必要时由质量部门进行核实,例如在自检或调查活动期间。
In GLP, QA needs to be provided with read-only access to e-records and corresponding data/meta data and have sufficient time to perform audit trail review. This principle should be applied to any GxP discipline as part of quality oversight. In many cases there may be minimal QA knowledge of the system and the audit trail within it; therefore, the laboratory should provide an experienced user to operate the software under the direction of QA.
按照 GLP 规范,质量保证部门(QA)应被授予电子记录及其对应数据 / 元数据的只读权限,并拥有充足时间开展审计追踪审核工作。作为质量监督的一部分,该原则应适用于所有 GxP 合规领域。在许多情况下,QA 人员对系统及其内部审计追踪的了解可能有限,因此实验室应指派一名经验丰富的用户,在 QA 的指导下操作相关软件。
Documenting an audit trail review 审计追踪审核的记录
It is a regulatory expectation to perform and document the data review as discussed earlier. One area that is typically missing from an application is a function to electronically record that a reviewer has reviewed the audit trail entries. In the absence of this feature, statements in the final report that audit trail entries have been reviewed followed by an electronic signature may or may not be acceptable to auditors and inspectors.
如前所述,开展数据审核并形成记录是监管机构的明确要求。软件系统中通常缺失的一项功能是:以电子方式记录审核人员已完成审计追踪条目的审核。在无此功能的情况下,若仅在最终报告中注明已审核审计追踪条目并附上电子签名,检查官与审计人员未必会认可这种方式。
Table 3 summarizes the process and practical functional requirements for an effective audit trail review for batch release. There are no deletion privileges in the system and the storage location is enforced to avoid a reviewer searching for deleted or unofficial test data (see rows 2 and 3). Table 4 outlines the main areas for a periodic review of audit trail entries.
表 3 汇总了为实现批次放行而开展有效审计追踪审核所需的流程与实际功能要求。系统不设置任何删除权限,且强制规定存储位置,以避免审核人员查找已删除或非正式的检测数据(见第 2 行和第 3 行)。表 4 则概述了审计追踪条目定期审核的主要内容。
Suppliers take note; these are key requirements to save users time and effort.
供应商请注意:这些是帮助用户节省时间与精力的关键要求。
Table 3: Application functions or settings to speed a second person review for release activities.
表 3:用于加快放行活动中第二人复核工作的应用程序功能或设置
Activity or system function 活动或系统功能 | Scope of work 工作范围 |
1. The performer completes the analysis 操作人员完成分析检测 | The performer has generated analytical data, interpreted them, performed any calculations and electronically signed the analysis report (Figure 4) 操作人员已生成分析数据、完成数据解读、进行相关计算,并对分析报告进行了电子签名(见图 4)。 |
2. Enforced data storage location 强制数据存储位置 | A reviewer does not need to search for unofficial testing 审核人员无需查找非正式检测相关内容。 |
3. No user has data deletion privileges 所有用户均不具备数据删除权限。 | A reviewer does not need to search for deleted data 审核人员无需查找已删除的数据。 |
4. Data changes highlighted in the audit trail allowing Review by Exception 审计追踪中突出显示数据变更,支持异常审核法 | Entries for the analysis presented in the audit trail with changes highlighted 审计追踪中展示的分析条目,数据变更已高亮标注 Highlighted changes allow a reviewer to focus and check on anomalous or unauthorised activities rather than routine entries 高亮显示的变更可使审核人员聚焦并核查异常或未经授权的操作,而非常规条目。 |
5. Software function to document review of the audit trail 用于记录审计追踪审核情况的软件功能 | After review of data and corresponding audit trail entries, the reviewer documents the review, which is recorded in the audit trail 在完成对数据及其对应审计追踪条目的审核后,审核人员对审核过程进行记录,该记录将被录入审计追踪系统中。 |
6. Document the conclusion of the review within the audit trail 在审计追踪中记录审核结论 | A reviewer can incorporate the review conclusion, e.g., a positive statement regarding whether issues were found or not. Option to record and resolve any problems found during the review allowing completion of the second person review 提供记录并解决审核期间发现的任何问题的选项,以完成第二人复核流程。 |
7. Electronically sign analysis test report 对分析检测报告进行电子签名 | Enforced workflow for e-signature when second person review completed 第二人复核完成后,强制执行电子签名工作流程 |
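Table 4: System-level audit trail checks that can be performed during a data integrity audit or periodic review.
表 4:数据完整性审计或定期审核期间,可开展的系统级审计追踪核查项目
Periodic review task 定期审核任务 | Scope 范围 |
User account management 用户账户管理 | |
Review change records 审核变更记录 | |
Performance and reliability 性能与可靠性 | |
Instrument problems 仪器故障 | |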
Archive and restore of e-records including audit trail entries
包含审计追踪条目在内的电子记录归档与恢复
Retention of complete raw data is required to reconstruct history of the course of any GxP activity (the who, what, when and why). When audit trail entries are stored in the system that created them the structure of audit trail(s) within the software matters little. However, if disk capacity is an issue and data need to be archived to free up space, then how audit trails have been implemented may be an issue.
需保留完整原始数据,以还原任何 GxP 活动的全过程历史(即何人、何事、何时及为何开展)。若审计追踪条目存储在生成该数据的系统中,软件内审计追踪的结构则无关紧要。但如果存在磁盘容量问题,需要归档数据以释放空间,那么审计追踪的实现方式就可能成为关键问题。
The separation of system and data audit trails, as shown in Figure 3, allows more effective archive and restore. Here, we provide you with two scenarios to compare archiving approach of single and separate audit trails:
如图 3 所示,将系统审计追踪与数据审计追踪分离,可实现更高效的归档与恢复。在此我们提供两种场景,对比单一审计追踪与分离式审计追踪的归档方案:
Scenario 1: A single audit trail 场景 1:单一审计追踪
Here all actions within the system are recorded in one audit trail. This has the advantage of giving the big picture, but it can be difficult to see the activities surrounding a specific analysis unless there are effective search routines. However, there is a potential problem when it comes to archiving data outside of the system. All the analytical data files and associated metadata (data acquisition method, processing method and calculations, e-signed summary reports etc.) and pertinent audit trail entries must be collated into a file for archiving outside of the system. This should be achievable relatively easily.
在此模式下,系统内的所有操作均记录在单一审计追踪中。这种方式的优势在于能够呈现全局视图,但如果缺乏高效的检索程序,很难定位与某一特定分析相关的操作活动。不过,在将数据归档至系统外部时可能存在潜在问题:所有分析数据文件、相关元数据(数据采集方法、处理方法与计算过程、电子签名汇总报告等),以及对应的审计追踪条目,都必须整理为一个文件,才能归档至系统外部。这一操作理论上相对容易实现。
The problem comes with a restore request because of a complaint, audit or inspection. The data can be restored but can the audit trail entries be interleaved back into the single audit trail of the application? Furthermore, can any reinterpretation of the data be captured? At the end of the work, can data be archived again with all the new data entries and audit trail entries? Consider the system's retention capability: some systems will start overwriting when they hit their storage limit, sometimes with no warning. This is the case with some analytical instruments with a so-called ring buffer.
当因投诉、审计或检查需要提出恢复请求时,问题便会显现。数据本身可以恢复,但审计追踪条目能否重新穿插回应用程序的单一审计追踪中?此外,对数据的任何重新解读操作能否被完整记录?工作完成后,能否将所有新增数据条目与审计追踪条目一并再次归档?需考虑系统的留存能力:部分系统在达到存储上限时会开始覆盖原有数据,有时甚至不会发出任何预警。一些分析仪器采用所谓的环形缓冲区,便存在此类情况。
If these questions cannot be answered during your evaluation before purchase, you may be storing up problems for the future.
如果在采购前的评估阶段无法解答这些问题,可能会给日后埋下隐患。
Scenario 2: System and data audit trails
场景 2:系统审计追踪与数据审计追踪
In a system that separates audit trail entries between system and data events, an alternative archiving approach can be seen.
在将系统事件与数据事件的审计追踪条目分开记录的系统中,可以采用另一种归档方式。
Data level archiving: The structure of the data package is based around a folder within the database where all data and metadata including the audit trail entries reside. As such, it is technically easier to collate all data elements into a single file, export from the system and store in a secure location. Restoring the archived data is easier than in scenario 1 as there is no need to interleave audit trail entries into a system level audit trail. Evaluate the archive and restore process before purchase.
数据级归档:数据包的结构以数据库中的一个文件夹为核心,所有数据及元数据(包括审计追踪条目)均存储于此。因此,从技术层面而言,将所有数据单元整理为单个文件、从系统导出并存储至安全位置更为简便。与场景 1 相比,归档数据的恢复操作也更为简单,无需将审计追踪条目重新并入系统级审计追踪中。请在采购前对归档与恢复流程进行评估。
System level audit trail archiving: Over time, a system level audit trail will keep growing. At some point, the entries will need to be archived but must remain readable and searchable by the application. Again, the archiving and readability of system audit trail entries need to be assured before purchase.
系统级审计追踪归档:随着时间推移,系统级审计追踪会持续不断增长。在某一阶段,相关条目需要进行归档处理,但必须保证仍可被应用程序读取和检索。同样,在设备采购前,需确保系统审计追踪条目的可归档性与可读性。
The possibility of creating a true copy, as well as searching and sorting the retained audit trails, are serious areas that need to be questioned during system selection.
能否生成真实副本,以及对留存的审计追踪记录进行检索与排序的能力,是系统选型过程中必须重点质询的关键问题。
A word of warning: although the laboratory may spend time and effort on evaluation and selection of a system, all the work may be undone by the Purchasing Department seeking to obtain a cheaper price by buying a different system. To avoid this, spend time with Purchasing explaining the rationale why a specific system is required.
Specification of audit trail requirements 审计追踪要求规范
As part of defining the intended use of any computerized system, functional requirements for audit trail(s) must be written, tested and verified as part of the validation efforts.
在确定任何计算机化系统的预期用途时,必须将审计追踪的功能需求形成文件,并作为验证工作的一部分进行测试与确认。
In March 2017, an initiative on “e-Compliance Requirements” was launched to help the regulated industry adequately define a set of e-compliance requirements for various types of computerized systems, including audit trails. The objective is to define requirements in a unified way to provide clear compliance expectations for system suppliers and developers. The e-Compliance Requirements Initiative (eCRI) is an international initiative and can be viewed at ecri.tech, where the contact email will be found. The eCRI initiative covers not just audit trail requirements but also other compliance areas such as backup, user account management, etc.
2017 年 3 月,一项名为电子合规要求的专项计划正式启动,旨在帮助受监管行业针对各类计算机化系统充分制定一套电子合规要求,其中包含审计追踪相关内容。该计划的目标是统一制定要求,为系统供应商和开发方明确合规预期。电子合规要求计划(eCRI)是一项国际性计划,相关信息可通过网站 ecri.tech 查询,网站上亦提供联系邮箱。eCRI 计划不仅涵盖审计追踪要求,还涉及备份、用户账户管理等其他合规领域。
Requirements need to be either testable or verifiable as written, not as interpreted. An example of a bad and untestable requirement is the ever popular:
各项需求必须按书面原文可测试或可验证,而非依赖主观解读。以下是一个典型的、糟糕且不可测试的需求示例,这类表述十分常见:
The system must comply with 21 CFR 11 (or Annex 11) regulations
系统必须符合 21 CFR 第 11 部分(或附件 11)法规要求。
A better approach is to take each regulatory requirement and break it down into testable portions.
更优的做法是,将每条法规要求逐一拆解为可测试的具体条款。
- What should an audit trail record when creating a record? 创建记录时,审计追踪应记录哪些内容?
- How is a modification recorded by the audit trail? 审计追踪如何记录修改操作?
We have not provided any specific detail as each system’s audit trail is different. Intelligent modification of requirements is what is required: tailor your AT requirements to each system. Remember, a URS (User Requirements Specification) is a living document and specification requirements can be modified, deleted and added over the lifecycle.
我们未提供任何具体细节,因为各系统的审计追踪功能不尽相同。需要对需求进行合理优化调整:根据不同系统量身定制审计追踪(AT)要求。请记住,用户需求标准(URS)是一份动态文件,在其生命周期内可对规格要求进行修改、删除或补充。
Caution clowns at play! 当心:小丑出没!
The saying “never assume malice when stupidity will suffice” is tested to the limit in a recent example from a URS for an instrument purchase. The company (name not mentioned to protect the guilty) wrote this mandatory audit trail requirement in the URS:
这句谚语:“凡能用愚蠢解释的,就不要归咎于恶意”在近期一份仪器采购的用户需求说明(URS)案例中,被体现得淋漓尽致。某公司(为保护当事人,隐去名称)在其 URS 中写下了这条强制性审计追踪要求:
… in exceptional cases, where the alteration of computer-generated audit trails is unavoidable … modifications (of the audit trail) must occur in a controlled way…
在特殊情况下,若对计算机生成的审计追踪记录进行修改不可避免…… 则(对审计追踪的)修改必须以受控方式开展……
There are two issues here: 这里存在两个问题:
- Which part of secure and computer-generated audit trail regulations in Annex 11 or 21 CFR 11 do these clowns not understand? 这些人根本没搞懂《欧盟 GMP 附件 11》或《21 CFR Part 11》中关于安全、计算机生成的审计追踪法规的哪一部分?
- The “innocent” request to “alter” audit trail entries is a thinly disguised attempt at data falsification by design. 这种看似 “无伤大雅” 的修改审计追踪条目的要求,本质上是一种刻意进行数据造假的、不加掩饰的企图。
Any audit trail must be robust, computer generated and secure which implies that it must always be switched on from installation onward. In addition, to ensure all GxP records and data are trustworthy and reliable NO CHANGES to any audit trail event must be allowed and No User should have the ability to modify audit trail events. Suppliers offering applications with these audit trail options should not be considered further.
任何审计追踪均必须可靠耐用、由计算机自动生成且安全可控,这意味着从系统安装起就必须始终保持开启状态。此外,为确保所有 GxP 记录与数据真实可信,严禁对任何审计追踪事件进行修改,且任何用户均无权修改审计追踪事件。对于提供此类可修改审计追踪功能的供应商,不应再纳入后续评估范围。
Another scenario may present itself: even if you have adequate audit trail functionality, some laboratories may still want to use procedural controls to record changes. This is not feasible for a digitalized laboratory and has a high potential for a regulatory citation.
还可能出现另一种情况:即便审计追踪功能完备,部分实验室仍希望通过程序控制来记录修改操作。这在数字化实验室中不可行,且极有可能导致监管机构出具缺陷项。
Audit trail implications when interfacing systems
系统对接时的审计追踪相关影响
We have focused on ATs for a single system, but in a digitalized laboratory, applications will be interfaced for data transfer. Accordingly, the audit trails in both systems need to record the sequential export of data from one system and import or transfer into another by whichever means (e.g., secure file transfer or application programming interface). Where systems are sited in different time zones or locations, the validation needs to account for these differences to ensure trust in the systems and process.
我们此前重点讨论了单一系统的审计追踪(AT),但在数字化实验室中,各类应用系统会通过接口实现数据传输。因此,两个系统中的审计追踪均需记录数据按顺序从一个系统导出,并通过任意方式(如安全文件传输、应用程序编程接口)导入或传输至另一系统的全过程。若系统部署于不同时区或不同地点,验证工作需考虑这些差异,以确保系统与流程的可信度。
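The following added example (not from the article or any supplier) reconciles the export entries of one system's audit trail with the import entries of another when the two sites run in different time zones. The field names, transfer identifiers and shortened digests are constructed assumptions; timestamps carry their UTC offset so that they can be ordered on one time scale.

```python
from datetime import datetime, timezone

# Constructed audit trail entries. Field names and values are assumptions;
# the sha256 values are shortened placeholders for the transferred file's digest.
SOURCE_TRAIL = [  # exporting system, site at UTC+01:00
    {"transfer_id": "T-001", "event": "EXPORT", "ts": "2025-03-04T17:05:00+01:00", "sha256": "aa11"},
    {"transfer_id": "T-002", "event": "EXPORT", "ts": "2025-03-04T17:20:00+01:00", "sha256": "bb22"},
    {"transfer_id": "T-003", "event": "EXPORT", "ts": "2025-03-04T17:40:00+01:00", "sha256": "cc33"},
]
DEST_TRAIL = [  # importing system, site at UTC-05:00
    {"transfer_id": "T-001", "event": "IMPORT", "ts": "2025-03-04T11:06:10-05:00", "sha256": "aa11"},
    {"transfer_id": "T-002", "event": "IMPORT", "ts": "2025-03-04T11:19:30-05:00", "sha256": "bb22"},
    {"transfer_id": "T-004", "event": "IMPORT", "ts": "2025-03-04T11:50:00-05:00", "sha256": "dd44"},
]


def to_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and convert it to UTC; reject local-only times."""
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp {ts!r} has no UTC offset and cannot be ordered across sites")
    return parsed.astimezone(timezone.utc)


def reconcile(source: list, dest: list) -> list:
    """Pair EXPORT and IMPORT entries by transfer_id and list every discrepancy."""
    exports = {e["transfer_id"]: e for e in source if e["event"] == "EXPORT"}
    imports = {e["transfer_id"]: e for e in dest if e["event"] == "IMPORT"}
    findings = []
    for tid in sorted(exports.keys() | imports.keys()):
        exp, imp = exports.get(tid), imports.get(tid)
        if imp is None:
            findings.append((tid, "exported but never imported"))
            continue
        if exp is None:
            findings.append((tid, "imported without a recorded export"))
            continue
        if exp["sha256"] != imp["sha256"]:
            findings.append((tid, "content digest differs"))
        # Compare on one time scale: 11:06 local at UTC-05:00 is later than
        # 17:05 local at UTC+01:00, although the wall-clock values suggest otherwise.
        if to_utc(imp["ts"]) < to_utc(exp["ts"]):
            findings.append((tid, "import precedes export in UTC"))
    return findings


if __name__ == "__main__":
    for transfer_id, problem in reconcile(SOURCE_TRAIL, DEST_TRAIL):
        print(transfer_id, problem)
```

An "import precedes export" finding with matching digests points to unsynchronised clocks rather than a missing transfer, which is one of the differences the validation has to cover.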
Summary 总结
An audit trail is critical in a digitalized regulated laboratory to ensure trustworthiness, reliability and integrity of electronic records. We reviewed GxP regulations and guidance documents to identify important functions of audit trails and their design. Although the regulations are consistent, implementation of audit trail(s) in an individual system varies greatly leading to the requirement to have separate SOPs for the effective review. System design can impact the ability to archive and restore audit trails as part of record retention.
在数字化合规实验室中,审计追踪对于确保电子记录的真实性、可靠性与完整性至关重要。我们通过查阅 GxP 法规及指南文件,明确了审计追踪的关键功能及其设计要点。尽管法规要求保持一致,但审计追踪在各系统中的实施方式差异极大,因此需要制定独立的标准操作规程(SOP)以实现有效审核。系统设计会影响审计追踪作为记录保存一部分的归档与恢复能力。
Acknowledgements
We thank Monika Andraos, Akash Arya, Peter Baker, Markus Dathe, Eberhard Kwiatkowski, Yves Samson, Paul Smith, Christoph Tausch and Stefan Wurzer for their constructive review comments in preparing this listicle.
致谢
感谢Monika Andraos、Akash Arya、Peter Baker、Markus Dathe、Eberhard Kwiatkowski、Yves Samson、Paul Smith、Christoph Tausch和Stefan Wurzer在准备本列表时提供的建设性评论。
Reference
1. 21 CFR 58 Good Laboratory Practice for Non-Clinical Laboratory Studies. Washington, DC: Food and Drug Administration. 1978.
2. 21 CFR 211 - Current Good Manufacturing Practice for Finished Pharmaceuticals. Federal Register. 1978:45014–45089.
3. Able Laboratories Form 483 Observations. 2005. https://www.fda.gov/media/70711/download
4. 21 CFR Part 11; Electronic Records; Electronic Signatures Final Rule. Federal Register. 1997;62(54):13430–13466.
5. FDA Guidance for Industry, Part 11, Electronic Records; Electronic Signatures Scope and Application. Rockville, MD: Food and Drug Administration. 2003.
6. 21 CFR Parts 16 and 58 Good Laboratory Practice for Nonclinical Laboratory Studies; Proposed Rule. Federal Register. 2016;81(164):58342–58380.
7. FDA Guidance for Industry Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers. Silver Spring, MD: Food and Drug Administration. 2024.
8. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Annex 11 Computerised Systems. Brussels: European Commission. 1992.
9. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Annex 11 Computerised Systems. Brussels: European Commission. 2011.
10. Concept Paper on the Revision of Annex 11 of the Guidelines on Good Manufacturing Practice for Medicinal Products – Computerised Systems. European Medicines Agency & Pharmaceutical Inspection Cooperation Scheme. 2022.
11. ICH Harmonised Guideline - Guideline for Good Clinical Practice E6(R3). International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use. 2025.
12. MHRA GXP Data Integrity Guidance and Definitions. Medicines and Healthcare products Regulatory Agency. 2018.
13. PIC/S PI-041 Good Practices for Data Management and Integrity in Regulated GMP / GDP Environments. Geneva: Pharmaceutical Inspection Convention / Pharmaceutical Inspection Cooperation Scheme. 2021.
14. OECD Series on Principles of Good Laboratory Practice (GLP) and Compliance Monitoring, Number 22, Advisory Document of the Working Party on Good Laboratory Practice on GLP Data Integrity. Paris: Organisation of Economic Cooperation and Development. 2021.
15. Smith PA, McDowall RD. Analysis of FDA Infra-Red 483 citations – Have you a data integrity problem? Spectroscopy. 2019;34(9):22-28.
16. FDA Warning Letter BBC Group Limited. Food and Drug Administration. 2021.
17. EMA Guideline on Computerised Systems and Electronic Data in Clinical Trials. Amsterdam: European Medicines Agency; 2023.
18. McDowall RD. Is traceability the glue for ALCOA, ALCOA+ or ALCOA++? Spectroscopy. 2022;37(4):13–19.
19. FDA Draft Guidance for Industry Data Integrity and Compliance with cGMP. Silver Spring, MD, USA. 2016.
20. FDA Guidance for Industry Data Integrity and Compliance With Drug CGMP Questions and Answers. Silver Spring, MD: Food and Drug Administration. 2018.
21. FDA Draft Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps. Rockville, MD: Food and Drug Administration. 2002.
22. FDA Guidance for Industry Computerised Systems Used in Clinical Investigations. Rockville, MD: Food and Drug Administration. 2007.
23. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 4 Documentation. Brussels: European Commission. 2011.
24. OECD Series on Principles of Good Laboratory Practice and Compliance Monitoring Number 1, OECD Principles on Good Laboratory Practice. Paris: Organisation for Economic Co-operation and Development. 1998.
25. WHO Technical Report Series No.996 Annex 5 Guidance on Good Data and Records Management Practices. Geneva: World Health Organisation. 2016.
26. 21 CFR 211 Current Good Manufacturing Practice for Finished Pharmaceutical Products. Silver Spring, MD: Food and Drug Administration. 2008.
27. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 6 Quality Control. Brussels: European Commission. 2014.
28. GAMP Good Practice Guide: Data Integrity by Design. International Society for Pharmaceutical Engineering. 2020.
29. OECD Series on Principles of Good Laboratory Practice and Compliance Monitoring Number 17 on Good Laboratory Practice Application of GLP Principles to Computerised Systems. Paris: Organisation for Economics Co-Operation and Development. 2022.
30. McDowall RD. Validation of Chromatography Data Systems: Ensuring Data Integrity, Meeting Business and Regulatory Requirements. Second Edition ed. Royal Society of Chemistry. 2017.
31. WHO Technical Report Series 1033, Annex 4 Guideline on Data integrity. Geneva: World Health Organisation. 2021.